Version 3.0 Last Updated: July 2020
Cafico Corporate Services Limited, trading as Cafico International, is an independent Trust and Corporate Services Provider engaged in the provision of corporate administration, accounting and fiduciary services to international companies and financial institutions seeking a cost-effective, tailored solution when doing business in Ireland through Irish subsidiary or orphan companies (“Clients”). Cafico Corporate Services Limited, also has a subsidiary in Luxembourg, Cafico Corporate Services (Luxembourg) S.à r.l.
We work closely with financial institutions and local lawyers in both jurisdictions in the provision of a range of corporate administration, accounting and fiduciary services.
Please read this data privacy notice carefully, as it applies to all of our interactions with you. Should you have any queries in respect of this notice, please do not hesitate to contact us.
In Ireland, by telephone on 00353 1 905 8020.
In Luxembourg, by telephone on 00352 27 86 29 50.
Key GDPR Terms
A data controller is an entity that determines the purposes and means of data processing (either alone or together with others), i.e. the entity making the decisions as to how and why personal data is processed.
A data processor is any entity that processes personal data on behalf of the controller.
An identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Any information relating to a data subject.
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Special Categories of Personal Data
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Who is the Data Controller?
With the exception of circumstances in which Cafico International is engaged in the processing of personal data of the directors, officers, duly appointed attorneys or legal representatives, authorised signatories, employees, customers, shareholders, ultimate beneficial owners, or personnel connected with professional advisers or service providers of its Clients or affiliated companies thereof, for the purposes of providing corporate administration, accounting and fiduciary services pursuant to a written contract (the “Services”), Cafico International is a data controller responsible for your information when you interact with us. Where Cafico International is engaged in providing the Services, Cafico International will be acting as a data processor, and the Client will be acting as a data controller.
The registered office address of Cafico International in Ireland is Palmerston House, Denzille Lane, Dublin 2, Ireland.
The registered office address of Cafico Corporate Services (Luxembourg) S.à r.l. is 10 Rue des Capucins, L-1313, Luxembourg.
Personal Data That We Process
Cafico International processes personal data to establish and maintain efficient service-orientated business relationships with Clients, for the purposes of establishing and maintaining professional relationships with other third parties such as legal advisors and audit firms, and for the purposes of recruitment and the establishment and maintenance of employment relationships. We process personal data in accordance with all applicable data protection laws and regulations, including the General Data Protection Regulation (“GDPR”).
The data we process depends on the context of your interactions with us and the choices you make. Where Cafico International is acting as a data processor, it is anticipated that written contracts with Clients will be supplemented with a data processing addendum setting out the exact terms of processing between the Client and Cafico International, including the duration, purpose and categories of personal data being processed.
The data we process can include the following:
- Identity and contact information: first and last name, date of birth, gender, nationality and citizenship, marital status, occupation, job title, employer, email address, residential or business address, phone and fax numbers and other similar contact data (whether in a personal or professional capacity), tax residency and tax related information, PPS number (or foreign equivalent), family details, copies of ID and other identification documents.
- Recruitment data: work experience data, educational credentials, references, and information on other skills potential candidates may have, where we are seeking to recruit for open opportunities, or where candidates contact us seeking such opportunities.
- Job related data: current position, absence records, holiday records, salary details, tax details, compensation and benefits, performance goals and targets, appraisals and reviews, training records, and managerial reports in respect of employees.
- Payment data: personal data which is necessary to process any payments due to you, such as payments due under contracts of employment.
- Directorships data: details of other directorships held by you.
- Securities data: details of securities held by you.
- Pension schemes data: details of pension schemes held by you.
- Miscellaneous: further information as may be required to comply with applicable anti-money laundering and counter-terrorist financing laws and regulations.
Purposes and Legal Bases
Depending on the context of your interactions with us, we use the information we have about you in the following ways and for the following purposes:
- To establish and maintain companies for our Clients, and to provide the Services in compliance with the provisions of all applicable laws and regulations, such as:
- the Companies Act 2014, as amended;
- the Taxes Consolidation Act 1997 (as amended);
- the European Union (Anti-Money Laundering: Beneficial Ownership of Corporate Entities) Regulations 2019;
- the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010, as amended by the Criminal Justice Acts 2013 and the CJA 2018 (the “CJA 2010 to 2018”);
- the Law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended (the “AML Law”);
- the Grand Ducal Regulation of 1 February 2010 providing details on certain provisions of the AML Law, as amended (the “AML GDR”);
- the CSSF Regulation N 12-02 of 14 December 2012 on the fight against money laundering and terrorist financing (the “CSSF Regulation”);
- financial sanctions related obligations;
- the Market Abuse Regulation (Regulation EU No. 596/2014); and
- applicable laws and regulations in the field of employment law;
- To perform contracts that have been entered into by Clients, such as those pertaining to the operation and maintenance of bank accounts, or involving financial transactions of various types;
- To perform contracts that we have entered into with you, such as employment contracts;
- To ensure the personal health, safety and continued professional development of employees;
- To ensure that the ongoing needs of Cafico International in the area of recruitment are met;
- To ensure that access to the offices of Cafico International, and to personal data and other confidential information maintained by Cafico International on its systems and records, is monitored in an appropriate manner;
- To develop and maintain professional business relationships with you, where you act for or on behalf of a provider of professional services, such as legal or audit services; and
- For direct marketing purposes, such as providing you with updates on business developments with respect to Cafico International or relevant industry updates, unless you have objected to us using your details in this way.
We rely on three separate legal bases to lawfully process your personal data, which are as follows:
- compliance with a legal obligation;
- contractual necessity; and
- legitimate interests.
You have choices about the data we collect. For further information in this regard, please refer to the section titled ‘Data Subject Rights’ below.
Where do we Obtain and Store your Personal Data?
You provide some of this data directly. Information is provided by you:
- When you respond to a request pertaining to compliance with legal obligations, for example in the area of company law, anti-money laundering and counter-terrorist financing laws and regulations, market abuse regulations, taxation laws and regulations;
- When you are or may be appointed as a director, officer, duly appointed attorney, legal representative or authorised signatory of a Client company, are a customer or employee of a Client company, or subscribe for shares in or are an ultimate beneficial owner of a Client company;
- When you enter into an employment relationship with Cafico International, or when you send us a copy of your resume or curriculum vitae for recruitment purposes;
- When you act on behalf of a professional adviser or a service provider to a Client company;
- When you send us your information in a professional or personal capacity to enquire about the provision by Cafico International of services to your company, or to another party.
We also obtain data from third parties. These third-party sources vary over time, but have included:
- Data vendors, such as those providing information on filings made with the Companies Registration Office in Ireland, with the Companies House in the United Kingdom, and Registre de Commerce et des Sociétés in Luxembourg;
- Recognised screening tools which are used to supplement the data collected for the purposes of compliance with anti-money laundering and counter-terrorist financing laws and regulations, in addition to compliance with financial sanctions obligations;
- Data obtained directly from Clients;
- Legal advisors that have been engaged for the purposes of the establishment of a company, or the completion of a transaction;
- The parent or affiliated companies of Clients, and other third parties involved in Client transactions;
- Previous service providers to an existing third-party company, in circumstances where files are transferred to us as the incoming service provider;
- Where you have chosen to make your information publicly available on social media, we use this information to assist us in our efforts to comply with applicable anti-money laundering and counter-terrorist financing laws and regulations;
- For recruitment purposes, from recruitment agencies and/or recruitment websites and social media applications; and
- Publicly available sources such as open government or regulator databases, or other data in the public domain.
The personal data that we process can be stored on the systems of Cafico International, on Client systems, or on third-party systems accessed by Cafico International for the purposes of providing Services.
Special Categories of Personal Data
Where we act as data controller in respect of any special category of personal data, we do so in complete compliance with the Article 9 requirements of the GDPR and have appropriate safeguards and protections in place to protect such personal data. Special category personal data will only be processed where necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law.
We rely on several legitimate interests in using and sharing your personal information. These interests include facilitating the day-to-day business operations of Cafico International, and the Clients to which it provides Services. Examples in this regard include:
- The provision of information to appointed legal counsel, and auditors of Client companies, in addition to further third parties to transactions entered into by Clients to facilitate their compliance with the provisions of applicable anti-money laundering and counter-terrorist financing laws and regulations;
- The performance of contracts that have been entered into by Client companies;
- The maintaining of contact details for marketing purposes in terms of the development of professional business relationships;
- The necessity to provide a safe place of work and to attend to the well-being, safety and continued professional development of employees;
- Recruitment needs of Cafico International;
- Appropriate monitoring of access to the offices of Cafico International, and to personal data and other confidential information maintained by Cafico International on its systems and records.
Data Subject Rights
The GDPR provides a number of rights with respect to how the personal data of data subjects is used including rights of access, rectification, erasure, restriction, data portability and objection.
- Right of Access
Data subjects are entitled to obtain details concerning the processing of their personal data and to have access to a copy of any personal data that is processed in an easily accessible format.
- Right of Rectification
Data subjects are entitled to have inaccurate personal data concerning them rectified without undue delay, and, taking into account the purposes of the processing, to have incomplete personal data completed.
- Right of Erasure (Right to be Forgotten)
Data subjects have the right to have their personal data erased without undue delay in specified circumstances. This is known as the right of erasure or ‘the right to be forgotten’. These circumstances include:
- The personal data is no longer necessary in relation to the purposes for which it was collected;
- The data subject withdraws consent and there are no other legal bases for processing;
- In the case of reliance on legitimate interests as a ground for processing and in circumstances where an objection is raised by the data subject, there are no overriding legitimate grounds for the processing;
- The personal data has been unlawfully processed;
- The personal data has to be erased for compliance with a legal obligation under European Union or Member State law; or
- The personal data has been collected in relation to the offer of information society services to a child.
The right to erasure is not available where the processing of the relevant personal data is necessary:
- For the purposes of exercising the right of freedom of expression and information;
- For compliance with a European Union or Member State legal obligation which requires processing by law and to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- For reasons of public interest in the area of public health;
- For certain archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
- For the establishment, exercise or defence of legal claims.
- Restriction of Processing
There are four instances in which a data subject is entitled to restrict processing of his or her personal data as an alternative to erasure:
- The accuracy of the personal data is contested by the data subject, in which case the processing is restricted for a period enabling the controller to verify the accuracy of the personal data;
- The processing of the personal data is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead;
- The controller no longer needs the personal data for the purposes of the processing, but the personal data is required by the data subject for the establishment, exercise or defence of legal claims, and
- The data subject has objected to processing pending verification whether the legitimate grounds of the controller override those of the data subject.
Where processing has been restricted, continued processing, with the exception of storage, may only occur in the following cases:
- The data subject consents;
- The processing is necessary for the exercise or defence of legal claims;
- The processing is necessary for the protection of the rights of other individuals or legal persons; or
- The processing is necessary for public interest reasons.
You are entitled to be notified by us before any restriction on processing is lifted.
- Data Portability
This right enables you to receive personal data concerning you, in a structured, commonly used and machine-readable format, and to transmit that data to another controller without hindrance from us. This right only applies where processing is based on your consent or on the performance of a contract, and the processing is carried out by automated means.
- Right to Object to Data Processing
Data subjects have a right to object to the processing of their personal data in the following circumstances:
- Where processing is based on legitimate interest grounds or because it is necessary for a public interest task/official authority. The controller is required to cease processing unless it demonstrates compelling legitimate grounds for the processing which override the rights of the data subject or the processing is necessary for the defence of legal claims;
- Processing for direct marketing purposes. No further processing may occur once an objection has been received; and
- Processing for scientific or historical research or statistical purposes. Processing may only occur following an objection if the processing is necessary for the performance of a task carried out for reasons of public interest.
- Rights in relation to Automated Processing, including Profiling
Data subjects have a right not to be subject to a decision based solely on automated processing, which includes profiling. This right does not apply if the decision:
- Is necessary for entering into, or performance of, a contract between the data subject and a data controller;
- Is authorised by law which lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, or
- Is based on the data subject’s explicit consent.
- Right to Withdraw Consent
Data subjects have a right to withdraw consent, where consent is relied upon as the legal bases for processing.
Requests in relation to the enforcement of your rights will be responded to free of charge and within 30 days of receipt of the request. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
Further Information with respect to your Rights and the Legal Bases of Processing relied upon by Cafico International
- Reliance on Compliance with a Legal Obligation
These grounds may be relied upon where the bases for processing is laid down in a relevant Irish, Luxembourg or European Union law or regulation.
You do not have a right to erasure of your personal data, to data portability or to object to the processing of your personal data where we are relying on the grounds of compliance with a legal obligation with respect to the processing of your personal data.
- Reliance on the Grounds of Contractual Necessity
These grounds may be relied upon where we have entered into a contract with you, in respect of the performance/execution of such contract, and includes steps taken at your request prior to the entering into of the contract.
You do not have a right to object to the processing of your personal data where we are relying on the grounds of contractual necessity for such processing, but you do have a data portability right.
- Reliance on the Grounds of Legitimate Interests
You may object to the processing of your personal data where we are relying on the grounds of legitimate interests for such processing. Your right of objection is absolute where these grounds are relied upon for marketing purposes. In all other circumstances, we can override your objection if we can demonstrate an overriding compelling legitimate ground.
A right of data portability does not apply where we are relying on the grounds of legitimate interests in relation to the processing of your personal data.
Automated Decision Making
We will not use your personal data for automated decision-making purposes (including profiling).
Recipients and Categories of Recipients
We share information we have about you in accordance with this data privacy notice:
- With third party service providers engaged by Cafico International, such as the providers of health care or pension scheme solutions. In such cases, these service providers must abide by data privacy and security requirements which are at least equivalent to the standards applied by Cafico International;
- With other professional advisers to or service providers of Clients for the purposes of providing the Services:
- as may be necessary in connection with the performance of contractual obligations, or
- in circumstances where information is provided to facilitate compliance with applicable anti-money laundering and counter-terrorist financing obligations.
- With third parties generally when you have requested us to do so; and
- When we have a good faith belief that doing so is necessary to comply with applicable law or respond to valid legal process, including from law enforcement or other governmental agencies.
Websites and Cookies
No personal information is collected about general visitors to the website of Cafico International. However, your browser supplies some basic information about your visit. The collection of this information is common practice and is used to analyse and understand how the website is being used. The following information is logged: IP address (the internet address of your computer), date and time of your visit, the type of computer, browser and operating system you are using, the URL’s of websites that referred you to the website and the path you take through the website.
Third Country Transfers
When acting as a data controller, we may, for the purposes outlined in this data privacy notice, transfer your personal data outside of the European Economic Area (“EEA”) provided such transfer is to a recipient who (i) is located in a country that the European Commission deems to provide an adequate level of protection for personal data, or (ii) is subject to an agreement, derogation or other legal act which allows for the lawful transfer of personal data outside of the EEA.
Where transfers outside of the EEA are made for Clients, these will be carried out in accordance with the exact terms of processing agreed between the Client and Cafico International, which may for example include model contractual clauses.
We will retain your information only for as long as necessary for the purposes set out in this data privacy notice, for as long as your business or professional relationship with us is active, or as needed to provide you services, or for other essential purposes such as complying with applicable laws and regulations, resolving disputes or for the establishment, exercise or defence of legal claims.
Security of Personal Data
Cafico International is committed to protecting the security of your personal data. We use a variety of security technologies and procedures to help protect your personal data from unauthorised access, alternation, disclosure or destruction. For example, we store personal data you provide on computer systems that have limited access and which are located in controlled facilities.
Appointment of a Data Protection Officer
Pursuant to the GDPR, it is mandatory to designate a Data Protection Officer (“DPO”) in the following circumstances:
- where the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- where the core activities of the controller or the processor consist of regular and systematic monitoring of data subjects on a large scale; or
- where the core activities of the controller or the processor consist of processing on a large scale of special categories of data and personal data relating to criminal convictions.
As these circumstances do not apply to us, you are advised that a DPO has not been appointed for the purposes of GDPR.
You have the right to file a complaint against us with the Irish Data Protection Commissioner in Ireland or with the Commission Nationale pour la Protection des Données in Luxembourg. You may also complain to your local supervisory authority. You can find your local supervisory authority on https://ec.europa.eu/info/law/law-topic/data-protection. We would, however, appreciate the opportunity to deal with your concerns in advance. Our contact information is provided below.
Statutory or Contractual Requirement to provide Information
When collecting your personal data is mandatory (either under applicable law or in accordance with a contractual requirement), this will be stated at the time of collection of the personal data.
Changes to this Data Privacy Notice
We will update this data privacy notice when necessary to reflect feedback from you or changes to the services we provide or the way in which we process personal data. When we post changes to this data privacy notice, we will revise the “Last Updated” date at the top of this data privacy notice. If there are material changes to this data privacy notice or in how we will use your personal data, we will notify you by prominently posting a notice of such changes before they take effect. We encourage you to periodically review this data privacy notice to learn how Cafico International is protecting your information.
How to Contact Us
If you have a privacy concern, question or complaint, or you wish to exercise any of your rights as a data subject, please contact us
In Ireland, by telephone on 00353 1 905 8020.
In Luxembourg, by telephone on 00352 27 86 29 50.